
RE: SOI QUESTIONS: 3.4 - 4.3



Keepalive messages do not contain any secret information so PFS is not
important.

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.



> -----Original Message-----
> From: Sankar Ramanoorthi [mailto:sankar@speakeasy.net]
> Sent: Monday, July 01, 2002 11:01 PM
> To: andrew.krywaniuk@alcatel.com
> Cc: 'list'
> Subject: Re: SOI QUESTIONS: 3.4 - 4.3
>
>
> Hi,
>
> I was asking about PFS for keepalive messages - I was assuming these are
> sent as notification messages using IKE SA.
>
> -- sankar ramamoorthi (sankarr@juniper.net) --
>
>
> Andrew Krywaniuk wrote:
>
> >>If phase1 SA is used as the control channel for keep-alive messages,
> >>what are the implications with regard to PFS? That is, if PFS is used
> >>to rekey the ipsec session key after an interval for
> >>perfect-forward-secrecy, is it okay to continue using the phase1 SA
> >>for keep alive packets without worrying about PFS?
> >>
> >
> >If the phase 2 is rekeyed using PFS as defined in IKEv1, where the new DH
> >key is deleted immediately, then you obviously get full PFS of the second
> >kind.
> >
> >If you were using the type of rekeying I was suggesting earlier, where the
> >new DH key is reused across multiple phase 2s and then deleted after a fixed
> >interval, you still get PFS of the second kind to within your PFS interval.
> >
> >Andrew
> >-------------------------------------------
> >There are no rules, only regulations. Luckily,
> >history has shown that with time, hard work,
> >and lots of love, anyone can be a technocrat.
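The three rekeying policies Andrew contrasts in the quoted reply (no PFS, IKEv1-style PFS with the quick-mode DH exponent deleted at once, and a DH exponent reused across several quick modes and then deleted after an interval) can be modelled in a few lines. The following is an added example, not code from the thread or from any IKE implementation. It assumes a toy Diffie-Hellman group (a 127-bit Mersenne prime; real IKE groups are much larger), HMAC-SHA256 as the PRF, a KEYMAT derivation that only mirrors the shape of the RFC 2409 formula (prf(SKEYID_d, [g^xy |] protocol | SPI | Ni | Nr)), and a compromise model in which a memory snapshot of one endpoint yields SKEYID_d plus whatever DH exponents have not yet been wiped. The function names, the `mode` strings and the `interval` parameter are all inventions of this example.

```python
"""Toy model of IKEv1 phase-2 (quick mode) keying with three PFS policies.

Added example for the thread above; not from the thread or any IKE stack.
Assumed: toy DH group, HMAC-SHA256 PRF, simplified RFC 2409 KEYMAT shape.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # toy modulus (Mersenne prime); NOT a real IKE DH group
G = 5                # toy generator


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair():
    """Ephemeral exponent and public value in the toy group."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(x: int, gy: int) -> bytes:
    return pow(gy, x, P).to_bytes(16, "big")


def keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes, g_xy: bytes = b"") -> bytes:
    """KEYMAT = prf(SKEYID_d, [g^xy |] protocol | SPI | Ni | Nr); protocol byte 3 = ESP."""
    return prf(skeyid_d, g_xy + b"\x03" + spi + ni + nr)


def run_quick_modes(mode: str, count: int, interval: int = 1):
    """Simulate `count` quick modes on one IKE SA under a PFS policy.

    mode "none":     no PFS; KEYMAT depends only on SKEYID_d and public data
    mode "per-qm":   IKEv1 PFS; fresh DH per quick mode, exponent wiped at once
    mode "interval": one DH exponent reused for `interval` quick modes, then wiped
    Returns (public transcript with the true KEYMATs, memory snapshot at the end).
    """
    skeyid_d = secrets.token_bytes(32)   # phase-1 derived secret shared with the peer
    transcript, live = [], {}           # live: dh_id -> exponent still in memory
    dh_id, x, uses = 0, None, 0
    for _ in range(count):
        spi, ni, nr = secrets.token_bytes(4), secrets.token_bytes(16), secrets.token_bytes(16)
        if mode == "none":
            transcript.append(dict(spi=spi, ni=ni, nr=nr, dh_id=None, gy=None,
                                   keymat=keymat(skeyid_d, spi, ni, nr)))
            continue
        if x is None:                    # start a new DH exponent
            dh_id += 1
            x, _gx = dh_keypair()
            live[dh_id], uses = x, 0
        _y, gy = dh_keypair()            # peer's ephemeral; its exponent is never in our memory
        km = keymat(skeyid_d, spi, ni, nr, dh_shared(x, gy))
        transcript.append(dict(spi=spi, ni=ni, nr=nr, dh_id=dh_id, gy=gy, keymat=km))
        uses += 1
        if mode == "per-qm" or uses == interval:
            del live[dh_id]              # wipe the exponent; x is now unrecoverable
            x = None
    return transcript, {"skeyid_d": skeyid_d, "live_dh": live}


def recoverable(memory: dict, transcript: list) -> list:
    """Indices of quick modes whose KEYMAT can be recomputed from the memory
    snapshot plus the recorded public exchange. This is the exposure window
    a compromise leaves; "PFS of the second kind" means it is empty."""
    hits = []
    for i, rec in enumerate(transcript):
        if rec["dh_id"] is None:
            g_xy = b""
        elif rec["dh_id"] in memory["live_dh"]:
            g_xy = dh_shared(memory["live_dh"][rec["dh_id"]], rec["gy"])
        else:
            continue                     # exponent was wiped: g^xy cannot be rebuilt
        if keymat(memory["skeyid_d"], rec["spi"], rec["ni"], rec["nr"], g_xy) == rec["keymat"]:
            hits.append(i)
    return hits


if __name__ == "__main__":
    for mode, n, iv in (("none", 6, 1), ("per-qm", 6, 1), ("interval", 7, 3)):
        t, m = run_quick_modes(mode, n, iv)
        print(f"{mode:9s} exposed quick modes: {recoverable(m, t)}")
```

With no PFS every quick mode is exposed once SKEYID_d leaks; with per-quick-mode PFS none is; with an interval policy only the quick modes keyed from the exponent still in memory are, which is exactly the "PFS of the second kind to within your PFS interval" claim. Keepalives sent as notifications on the IKE SA itself do not enter this picture at all, since they carry no key material that a later compromise could reveal.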